Did one of the UK’s top spy agencies email potential recruits’ passwords in the open?


Talk about a potential security fail. The U.K.’s Government Communications Headquarters (GCHQ) has been sending job applicants passwords to its recruitment website via unencrypted email.

Why is this a potential security violation? Because plenty of personal information about those applicants is hosted inside the recruitment site. If a foreign intelligence agency broke into the recruitment page they could collect potentially useful information on GCHQ’s future employees.

The kicker: GCHQ is the country’s premier electronic intelligence agency — the government’s cyber security arm and the British equivalent of the National Security Agency. (To be fair, cyber spies would need to know whose email to target to get these passwords, but still.)

The problem was apparently revealed when job applicant Dan Farrall posted to his blog an email he got from GCHQ that included his password. Apparently GCHQ emailed Farrall his password after he filled out a basic ‘Forgot Your Password?’ form on the agency’s recruiting website. (You’d think, at the very least, GCHQ would require users to come up with a new password, as plenty of businesses do when you forget yours. Let’s hope they add two-factor authentication soon.)

Cyber security firm Kaspersky Lab’s blog ThreatPost then wrote up what it says is the agency’s acknowledgement of the security lapse.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it," the agency said, asserting that "only the very small percentage of applicants (who need their accounts reset) are sent a new password" and that those emails come "with clear instructions of how to protect their data."

GCHQ didn’t clarify whether it plans to implement proper password reset functionality on its site in place of the password retrieval functionality it currently has. The agency also failed to explain how it would handle its users’ privacy from here on out, so it’s unclear whether it plans to salt and hash its users’ passwords going forward.
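To make concrete the two fixes the article points at (a reset flow that never reveals a password, and salted password hashing), here is an added illustrative example. It is not code from GCHQ, its recruitment site, or this article; the account store, the PBKDF2 iteration count and the 15-minute token lifetime are constructed assumptions. Because the site stores only a salted hash, a "forgot password" request cannot send the old password back; instead it issues a single-use, expiring random token, and only a hash of that token is kept server-side.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters (assumptions, not values from any real system).
PBKDF2_ITERATIONS = 200_000   # tune upward for production hardware
TOKEN_TTL_SECONDS = 15 * 60   # reset links stop working after 15 minutes


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different digests, and the plaintext is
    never stored, so it can never be emailed back."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """Minimal in-memory account store demonstrating reset-by-token (hypothetical)."""

    def __init__(self):
        self._users = {}    # email -> (salt, digest)
        self._resets = {}   # sha256(token) -> (email, expires_at)

    def register(self, email, password):
        self._users[email] = hash_password(password)

    def verify(self, email, password):
        record = self._users.get(email)
        if record is None:
            hash_password(password)   # burn the same time so timing doesn't reveal unknown accounts
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def request_reset(self, email, now=None):
        """Return a token to send to the user's email, or None if no such account.
        The web layer should show the same 'check your email' message either way."""
        if email not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).digest()   # store only the hash of the token
        self._resets[key] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, and set a new salted hash."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self._resets.pop(key, None)   # pop: a token can only ever be used once
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self._users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("applicant@example.invalid", "correct horse")
    token = store.request_reset("applicant@example.invalid")
    # The token (not the password) is what would go in the email.
    print("reset ok:", store.complete_reset(token, "new passphrase"))
    print("old password still works:", store.verify("applicant@example.invalid", "correct horse"))
```

The design choice worth noting: the store has no way to produce a user's password even if an operator wanted to, which is exactly the property a retrieval-by-email feature cannot offer. Keeping only a hash of the reset token means a leaked database table does not hand out live reset links either.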

It looks like The U.K.’s Fort Meade has been a little bit lax on some basic cyber security procedures.